Analysis
max time kernel: 143s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2024, 09:52
Static task: static1
Behavioral task: behavioral1
  Sample: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
Size: 338KB
MD5: 179a81e1174983c3e0daa57cb85d745d
SHA1: 656b2b7cb178f2cef1ada8dc2197587e680740af
SHA256: 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
SHA512: 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59
SSDEEP: 6144:X44EAEGxYSNuwZN+P0GUcjfmlqLErpeKmDXmBSs0AKUEURq7X13SvPHg:X42pYSJ+Pq8+lh/mDXy0AKUHEz1Cvvg
Malware Config
Extracted: C:\Program Files\7-Zip\Lang\restore_files_gmnoc.txt
  http://kwe2342fsd.rt546sdf234re.com/78ACCECC2F2698A
  http://awoeinf832as.wo49i277rnw.com/78ACCECC2F2698A
  https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A
  http://wls3uapur3zjm5gm.onion/78ACCECC2F2698A
Extracted: C:\Program Files\7-Zip\Lang\restore_files_gmnoc.html
  https://wls3uapur3zjm5gm.onion.to/78ACCECC2F2698A
Signatures

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (892) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | vcwqkn.exe

Drops startup file (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore_files_gmnoc.html | vcwqkn.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  1064 | vcwqkn.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C" | vcwqkn.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admvss_ms = "C:\\Users\\Admin\\AppData\\Roaming\\vcwqkn.exe" | vcwqkn.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ipinfo.io

Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png | vcwqkn.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\is\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_scale-125.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p2.mp4 | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailWideTile.scale-150.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-129.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\ErrorDot.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-256_altform-unplated.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v1.png | vcwqkn.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-400.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\script\bulletin_board_construction.js | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-150_contrast-white.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-72_contrast-white.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36_altform-unplated.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-150.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.js | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppUpdate.svg | vcwqkn.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-150_contrast-black.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-125.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-lightunplated.png | vcwqkn.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ko\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-lightunplated.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-150.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_altform-unplated_contrast-white.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\restore_files_gmnoc.html | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\ormma.js | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\restore_files_gmnoc.txt | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200.png | vcwqkn.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\restore_files_gmnoc.html | vcwqkn.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vcwqkn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Interacts with shadow copies (3 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  3584 | vssadmin.exe
  4088 | vssadmin.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | vcwqkn.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  2636 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1064 | vcwqkn.exe (the same row repeated 64 times)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  1228 | msedge.exe (the same row repeated 6 times)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 3828 | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 3828 | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3828 | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 1064 | vcwqkn.exe
  Token: SeSecurityPrivilege | 1064 | vcwqkn.exe
  Token: SeDebugPrivilege | 1064 | vcwqkn.exe
  Token: SeBackupPrivilege | 2536 | vssvc.exe
  Token: SeRestorePrivilege | 2536 | vssvc.exe
  Token: SeAuditPrivilege | 2536 | vssvc.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  1228 | msedge.exe (the same row repeated 25 times)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  1228 | msedge.exe (the same row repeated 24 times)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (identical rows collapsed, count in the last column)
  PID 3828 wrote to memory of 1064 | 3828 | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe | 82 (x3)
  PID 3828 wrote to memory of 2312 | 3828 | 179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe | 83 (x3)
  PID 1064 wrote to memory of 3584 | 1064 | vcwqkn.exe | 85 (x2)
  PID 1064 wrote to memory of 2636 | 1064 | vcwqkn.exe | 92 (x3)
  PID 1064 wrote to memory of 1228 | 1064 | vcwqkn.exe | 93 (x2)
  PID 1228 wrote to memory of 3936 | 1228 | msedge.exe | 94 (x2)
  PID 1064 wrote to memory of 4088 | 1064 | vcwqkn.exe | 95 (x2)
  PID 1228 wrote to memory of 1708 | 1228 | msedge.exe | 97 (x40)
  PID 1228 wrote to memory of 4036 | 1228 | msedge.exe | 98 (x2)
  PID 1228 wrote to memory of 2740 | 1228 | msedge.exe | 99 (x5)

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vcwqkn.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | vcwqkn.exe

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe (PID 3828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\179a81e1174983c3e0daa57cb85d745d_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\vcwqkn.exe (PID 1064)
        Command line: C:\Users\Admin\AppData\Roaming\vcwqkn.exe
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\vssadmin.exe (PID 3584)
            Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            - Interacts with shadow copies

        C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2636)
            Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
            - System Location Discovery: System Language Discovery
            - Opens file in notepad (likely ransom note)

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1228)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0b1c46f8,0x7ffc0b1c4708,0x7ffc0b1c4718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1708)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2740)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1076)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3552)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3352)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1200)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2300)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4588)
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16064099033821524635,2852839732782219080,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

        C:\Windows\System32\vssadmin.exe (PID 4088)
            Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
            - Interacts with shadow copies

        C:\Windows\SysWOW64\cmd.exe (PID 5016)
            Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwqkn.exe >> NUL
            - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 2312)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\179A81~1.EXE >> NUL
        - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2536)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe (PID 372)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 2252)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matched signatures for that tactic or technique)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 4KB
MD5: 4041998a77d16cc643ef1674f66cac2e
SHA1: 2f95ef2609c297e1e6c9fb33849a9605eb81ed7a
SHA256: a1cb1978742bebe88a7cc9e1aebfb54fb630daf6fa90723d7233caea85d6721b
SHA512: 2df14aa66ca270009d7ded7085ddcecb37ac4aa39390fcaea0e2c2c7119eaf75ab6a8e3d1b56f2183c63db3e9b4ad6d432c6185741cc7b8f047c6527ba6fca24

Filesize: 2KB
MD5: c6e20fdbbb08c3dc0dfc9c69d375a166
SHA1: 8e1e64d05fefeb2b2936bf2abd14177635011a6a
SHA256: f60d89b34517db789186e9531293f75667820da2d13d7114c97adb1491569b9f
SHA512: 681d886bfba05025e7132cbcc95f5da08c68bc4b342e829b0aace30f62d6b839c0844170b21d67240f5716ddbf07300a197edd9211ddae27fcc53e2f56fb3684

Filesize: 152B
MD5: 719923124ee00fb57378e0ebcbe894f7
SHA1: cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256: aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512: a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Filesize: 152B
MD5: d7114a6cd851f9bf56cf771c37d664a2
SHA1: 769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256: d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA512: 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 5KB
MD5: 829693059107f935f965ac5a633c095a
SHA1: 566b9c9104d9569f4c9b32698d9a0b2fc4bec918
SHA256: 8291f3bc4cf0e65d30e5cfa6ae72aa6ce1dbe096876f35d23ca3f87e2a6c3161
SHA512: 5035ee7c57887c7b6f842a46e6e878c57a29cfb0f751189bc49ad8f5754af8a83f239e7c1902b7183c2ce597602541b3b50107c3bd582fb08a9af4a86ca156f2

Filesize: 6KB
MD5: 1c7b0440625c223d8c37f16a98b7c761
SHA1: cf7d919f3d1b8620bd6056d094233f7fc157d300
SHA256: 51147714a3a14bb35121bc831aacbf08ac02421e855fcdd571ccd9e7420b7f25
SHA512: ecc987afd80c34e15a851c9b19698eaf9eac65c417d6907367b4186a198ce77d6f5973c181bff636cc15ca35a9624daff368fddcb7bd2f86f5b108628f8d62a9

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: d466b245071318f6ecfe052443f0dc84
SHA1: 3c2f9930d02c2a0356f23501affcd92e3a9ee14d
SHA256: 3696cd88cdbd860d05380cf52663935ad01b5d394106d6f751c11fc5e8772651
SHA512: 56f84481f2fafd0df705c0b7914432f4f7331497c2f0232ffbf8c70a6fc5decc495d5b3edfc85b8443fe7e4cbc5f9abbc0c613d1db0035136132f4126b0ac246

Filesize: 338KB
MD5: 179a81e1174983c3e0daa57cb85d745d
SHA1: 656b2b7cb178f2cef1ada8dc2197587e680740af
SHA256: 332c59bfef437e08870e955030bfbbd2e56b3ccf257b87f38c3318f39860de58
SHA512: 2f0ec1974759cbc3294691d45e50fd66854b6199f35e64743eaad60540cf03f26c001fd229c05b1ecc0300744e76aeeb7967e391dd0b6ecf50984ea788846a59